Table Of Contents
Creating and Configuring Zones
Overview
The Zone Home Page
Zone Status Bar
Zone Traffic Summary
Zone Status Summary
Zone Recent Events
Managing Zones
Reconfiguring a Zone
Deleting a Zone
Zone Status Icons
Creating and Configuring Zones
This chapter describes how to create and manage zones and includes the following sections:
• Overview
• The Zone Home Page
• Managing Zones
• Zone Status Icons
Overview
A zone is a network element that the Detector monitors for DDoS attacks. A zone can be a network server, client or router; a network link or subnet or an entire network; an individual Internet user or a company; an Internet Service Provider (ISP), or any combination of the above. Once the Detector identifies a DDoS attack, it can activate a remote Guard automatically to protect the zone against the attack or notify the user to activate the Guard manually.
The Detector can analyze the traffic for different zones simultaneously, as long as their network address ranges do not overlap.
A zone is the definition of a zone element, configured so that the Detector can detect DDoS attacks against it. You assign a name to the zone, and use this name to refer to it. The zone configuration includes the following:
• Basic zone configuration—Includes the zone's name and description, the zone's network address and operation definitions, and basic networking characteristics such as the zone's bandwidth. See the "Managing Zones" section for further details.
• Policies—Define the detection policy. The policies are the mechanism that enables the Detector to analyze a particular traffic flow and take action against the flow when a threshold is violated. The detection policies are constructed from policy templates that provide the guiding rules for their construction. The policies are built in a learning process that consists of two learning phases (see Chapter 7, "Detecting Traffic Anomalies," for further details). The action taken by a policy can range from merely notifying the user to activating a remote Guard to protect the zone against the DDoS attack. See Chapter 5, "Configuring Zone Filters and Policy Templates," for further details.
• Filters—Direct the diverted traffic to the required analysis modules. You can set the filter configurations and design different possibilities to customize traffic direction and the anti-DDoS detection mechanisms. See Chapter 5, "Configuring Zone Filters and Policy Templates," for further details.
The Zone Home Page
The zone home page (Figure 4-1) provides a summary of the zone status.
You can navigate to this page in a number of ways:
• Select the zone from the All Zones list in the navigation pane.
• If the zone is currently in detect mode, select the zone under the Under detection list in the navigation pane.
• On the zone pages, select Zone from the navigation path.
• Select the zone from the zone list (Detector Module Summary > Zones > Zone list).
The zone home page is divided into four sections:
• Zone Status bar
• Zone Traffic summary
• Zone Status summary
• Zone Recent events
The following buttons appear beneath the zone status bar in certain circumstances:
• Detect—Switches the zone to detect mode. This is equivalent to selecting Detection > Detect from the zone main menu and is only available if the zone is in standby.
• Deactivate—Deactivates the zone detect mode. This is equivalent to selecting Detection > Deactivate from the zone main menu and is only available if the zone is in detect mode.
• Report—Provides a link to the current attack report. This is equivalent to selecting Diagnostics > Attack reports from the zone main menu and clicking the current attack (the attack whose end time is shown as attack in progress). It is only available if an attack is currently in progress. See Chapter 8, "Zone Statistics and Diagnostics," for further details.
Figure 4-1 Zone Home Page
Zone Status Bar
The zone status bar provides a quick reference to the status of the zone and includes the following information:
• The zone name.
• The zone operation mode—Indicates whether the zone is in automatic protect mode or in interactive protect mode. The operation mode appears in brackets and only if the zone is active. See the "Managing Zones" section for further details.
• The zone status—Indicates the zone operation mode. The status can be one of the following: Under detection, Inactive, Constructing policy, and Tuning thresholds. See the "Zone Status Summary" section for further details.
• Indication of new recommendations—Indicates that new recommendations are available. This indication is available only if the Detector module is in interactive protect mode. See the "Interactive Detect Mode" section on page 7-6 for further details.
Zone Traffic Summary
The zone traffic summary graph displays the received traffic rate over the last two hours in bits per second (bps).
Table 4-1 describes the fields that appear below the zone traffic summary graph.
Table 4-1 Field Descriptions for Fields below Zone Traffic Summary Graph
Field | Description
Min | The minimum traffic rate measured over the last two hours in bits per second (bps).
Max | The maximum traffic rate measured over the last two hours in bits per second (bps).
Avg | The average traffic rate measured over the last two hours in bits per second (bps).
Cur | The current traffic rate in bits per second (bps).
Zone Status Summary
The zone status summary provides the following information:
• The number of active Dynamic filters. Active Dynamic filters provides a link to the Dynamic filters page. See the "Dynamic Filters" section on page 7-3 for further details.
• The number of pending Dynamic filters. The number of pending Dynamic filters is greater than 1 when the zone is in interactive protect mode and there are new recommendations. Pending Dynamic filters provides a link to the recommendations page. See the "Dynamic Filters" section on page 7-3 for further details on dynamic filters. See the "Interactive Detect Mode" section on page 7-6 for further details on recommendations.
• Last attack time—The date and time of the last attack on the zone.
• Activation time—The date and time that protect mode was activated.
Zone Recent Events
The recent events table displays the recent events in the zone with a minimum severity level of notify. These events also appear in the zone event log and the Detector module event log.
Managing Zones
To stay attuned to the zone traffic and detect traffic anomalies and DDoS attacks, you must configure the zone network characteristics on the Detector.
To create a new zone, perform one of the following:
• From the Detector module main menu, select Zones > Create Zone.
• From the Detector module main menu, select Zones > Zone list and click Add.
• From the zone main menu, select Main > Create Zone.
• From the zone main menu, select Main > Save as. This copies the current basic zone configuration to a new zone. It is equivalent to the zone CLI command with the option copy-from-this. Refer to the Cisco Traffic Anomaly Detector Module Configuration Guide for further details.
Table 4-2 describes the zone basic configuration fields.
Table 4-2 Field Descriptions for Zone Configuration
Field | Description
Name | The name of the new zone. The name is an alphanumeric string from 1 to 63 characters. The string must start with a letter and may contain underscores but cannot contain any spaces.
Description | A description of the zone. The string length is limited to a maximum of 80 characters.
From Template | A template that defines the zone configuration. The template can be one of the following:
  • DEFAULT—The Detector module default zone template.
  • Bandwidth Limited Link Templates—Templates designed to detect attacks on large subnets, segmented into zones with known bandwidth. Zones defined by these templates can be put into detection without undergoing the learning process. We recommend that you define such zones with a Protect-IP state of only-dst-ip. See Protect-IP state in this table for further details.
  The following Bandwidth Limited Link templates are available for 128K, 1M, 4M, and 512K links respectively:
  – LINK_128K
  – LINK_1M
  – LINK_4M
  – LINK_512K
  You cannot perform policy construction for these templates.
Operation mode | The mode used for activating zone Dynamic filters. Possible values are:
  • Automatic—The Dynamic filters are activated automatically.
  • Interactive—The interactive mode enables you to define the action taken for each Dynamic filter. The Dynamic filters recommended by the policies appear as recommendations, and you can specify whether to accept or reject each one.
  See the "Interactive Detect Mode" section on page 7-6 for further details.
Flex filter | (Optional) The Flex filter configuration. See the "Configuring the Flex Filter" section on page 5-3 for further details.
Filter Action | (Optional) The Flex filter action. Possible values are:
  • disable—The Flex filter is disabled.
  • count—The Flex filter is used to count the flow.
Protect-IP state | The Guard-protection form the Detector module uses when it activates remote Guards. The Guard-protection form is designed to save Detector module and Guard resources and to focus on the zone's detection and protection requirements. Choose the state from the drop-down list. The state can be one of the following:
  • All-Zone—The Detector module activates the Guard to assume protection over the overall zone whenever a traffic anomaly is detected. We recommend this strategy when the overall zone consists of interrelated zones that cannot be put at risk.
  • only-dst-ip—The Detector module activates Guard protection over a particular zone once a traffic anomaly can be traced as destined to that particular zone. Use this when you want to protect only the attacked zone rather than spend valuable protection resources on the overall zone.
  • policy-type—The Detector module activates Guard protection over a particular zone once a traffic anomaly can be traced as destined to that particular zone. It also activates Guard protection over the overall zone when the detected anomaly cannot be traced as being destined to a particular zone. We recommend this strategy when the overall zone is made up of zones that are closely related, to avoid a situation in which an attack on a targeted zone could inflict damage on the overall zone.
IP address | The zone IP address.
Mask | The zone address mask. Select the address mask from the drop-down list.
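The constraints stated in this chapter (Table 4-2 name and description rules, and the Overview's requirement that zones monitored at the same time have non-overlapping address ranges) are easy to get wrong when many zones are entered through the Zone Form. The following pre-flight check is an added example, not code from the Cisco guide or from the Detector itself; the zone names, descriptions and addresses are constructed samples, and the (IP address, mask) pairs mirror the two Zone Form fields.

```python
import ipaddress
import re
from itertools import combinations

# Rules from Table 4-2: 1 to 63 alphanumeric characters, first character a
# letter, underscores allowed, no spaces; description at most 80 characters.
ZONE_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,62}")
MAX_DESCRIPTION_LEN = 80

# Constructed sample zones (hypothetical names and RFC 5737 documentation
# addresses, not taken from the guide). "addresses" holds (IP address, mask)
# pairs as they would be entered in the Zone Form's IP table.
SAMPLE_ZONES = [
    {"name": "web_farm", "description": "Public web servers",
     "addresses": [("192.0.2.0", "255.255.255.0")]},
    {"name": "mail_gw", "description": "Mail gateway",
     "addresses": [("198.51.100.10", "255.255.255.255")]},
    {"name": "web_farm_vip", "description": "Load balancer VIP inside web_farm",
     "addresses": [("192.0.2.80", "255.255.255.255")]},
    {"name": "9bad", "description": "x" * 81,
     "addresses": [("203.0.113.0", "255.255.255.0")]},
]


def check_name(name):
    """True if the zone name satisfies the Table 4-2 rules."""
    return ZONE_NAME_RE.fullmatch(name) is not None


def check_description(description):
    """True if the description fits the 80-character limit."""
    return len(description) <= MAX_DESCRIPTION_LEN


def zone_networks(zone):
    """Turn each (ip, mask) pair into an ip_network. strict=False lets a host
    address with a non-host mask denote the subnet that contains it."""
    return [ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            for ip, mask in zone["addresses"]]


def find_overlaps(zones):
    """Return (zone_a, zone_b, net_a, net_b) for every pair of address ranges
    that overlap across two different zones. The Detector can only analyze
    zones simultaneously when their ranges do not overlap; ranges inside a
    single zone are not checked."""
    overlaps = []
    for a, b in combinations(zones, 2):
        for net_a in zone_networks(a):
            for net_b in zone_networks(b):
                if net_a.overlaps(net_b):
                    overlaps.append((a["name"], b["name"], str(net_a), str(net_b)))
    return overlaps


def validate_zones(zones):
    """Collect every problem as a string; an empty list means all zones pass."""
    problems = []
    for z in zones:
        if not check_name(z["name"]):
            problems.append(f"{z['name']!r}: invalid zone name")
        if not check_description(z["description"]):
            problems.append(f"{z['name']!r}: description longer than "
                            f"{MAX_DESCRIPTION_LEN} characters")
    for a, b, net_a, net_b in find_overlaps(zones):
        problems.append(f"{a!r} {net_a} overlaps {b!r} {net_b}")
    return problems


if __name__ == "__main__":
    for problem in validate_zones(SAMPLE_ZONES):
        print(problem)
```

Run against the sample set, the check reports the name that starts with a digit, the over-long description, and the /32 VIP zone that sits inside the /24 web_farm zone; the last finding is the one that matters operationally, because such a pair cannot be analyzed by the Detector at the same time and would need to be merged into one zone or re-addressed before both are activated.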
After you create the zone, the Detector module displays the configuration in three tables.
To change the zone basic configuration, click the Config button below the first table and enter the parameters in the Zone Form.
To change the Flex filter configuration, click Config below the second table with the Flex filter information, and enter the parameters in the Zone Form. See the "Configuring the Flex Filter" section on page 5-3.
To add further IP addresses and subnets, click the Add button under the third (IP) table. Repeat this for each additional zone IP address or subnet. You can add or delete IP addresses and subnets while the zone is active.
Reconfiguring a Zone
To reconfigure an existing zone, select Configuration > General from the zone main menu and click the Config button below the first table.
Deleting a Zone
To delete a zone, select Zones > Zone list from the Detector module main menu, select the check box for the zone and click Delete.
Zone Status Icons
Icons represent the zone status and appear in the navigation pane and in the zone status bar. Table 4-3 describes the zone status icons.
Table 4-3 Zone Status Icons
Icon | Status
[standby icon] | Zone in standby mode
[learning icon] | Zone in the learning process (the policy construction phase or the threshold tuning phase)
[protect icon] | Zone in protect mode
[recommendations icon] | New recommendations. This icon appears in addition to the zone icon and indicates that new recommendations are available.